PaloAltoNetworks / Splunk-Apps

Palo Alto Networks App for Splunk leverages the data visibility provided by Palo Alto Networks next-generation firewalls and endpoint security with Splunk's extensive investigation and visualization capabilities to deliver an advanced security reporting and analysis tool.
https://splunk.paloaltonetworks.com
ISC License

Adding tag=authentication in pan_system logs #160

Open Daavide opened 3 years ago

Daavide commented 3 years ago

Hi guys, is there a reason why system authentication logs (e.g. admin login, using web gui or ssh) are not tagged with tag=authentication for the CIM Authentication Data Model?

This could be useful for an Enterprise Security implementation, since there are rules about authentication problems (e.g. Brute Force) that rely on the Authentication Data Model, so tag=authentication.

Thanks in advance!

EUmbach commented 2 years ago

Impossible! Per Sales and the Pan Docs the TA is Fully Common Information Model (CIM) compliant and designed for use with Splunk Enterprise Security, 100% never any issues....

Did this ever get resolved for you?
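
A local override for the tagging gap raised in this issue, as an added example that is not part of the thread or the add-on's own configuration. It assumes the add-on's `pan:system` sourcetype, a `pan_system` eventtype, the `log_subtype` and `event_id` fields, and the `auth-success` / `auth-fail` event IDs; the eventtype name `pan_system_auth_local` is hypothetical. Check each assumption against your own events before deploying.

```ini
# --- local/eventtypes.conf ---
# Hypothetical eventtype name. The search is an assumption: it expects
# eventtype=pan_system to match the system logs and log_subtype=auth to
# mark authentication events (admin logins via web GUI or SSH).
[pan_system_auth_local]
search = eventtype=pan_system log_subtype=auth

# --- local/tags.conf ---
# The CIM Authentication data model selects events by tag=authentication.
[eventtype=pan_system_auth_local]
authentication = enabled

# --- local/props.conf ---
# The tag only gets events into the data model. Brute-force style
# correlation searches count failures, so "action" has to be populated
# with the CIM values success / failure as well.
# The event_id values are assumptions. The final case() branch keeps any
# existing action value so non-auth system events are left unchanged.
[pan:system]
EVAL-action = case(log_subtype=="auth" AND event_id=="auth-success", "success", log_subtype=="auth" AND event_id=="auth-fail", "failure", true(), action)
```

After a restart or configuration reload, `tag=authentication eventtype=pan_system_auth_local | stats count by action` should return both success and failure rows; the other CIM Authentication fields (`user`, `src`, `dest`, `app`) still need the same verification.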